"This is an exciting product. Let's send out information about this to all previous customers!" A spirited marketing idea that many of us probably recognize.
But the guidelines of the responsible authorities are clear: Personal data may only be collected for "specific, explicit and legitimate purposes". This means that in each project we need to be clear about why, to what and for how long we should process personal data.
In addition, the objectives must be specific and concrete, not vague or unclear. It’s not enough that the aim is solely to "improve the user experience", "cyber security" or "future research". It’s too broadly expressed, and the data subjects cannot assess what such personal data processing may entail. It’s also not enough to specify "controls" as the purpose of logging and monitoring, but also to indicate the purpose of the control.
The purpose must also be justified. This means that the processing of personal data must have a legal basis in the General Data Protection Regulation and must be carried out in accordance with other applicable legislation and general legal principles.
Process collected personal data in new ways?
Of course, it’s difficult to think of all possible scenarios at the beginning of a project where personal data is collected. Often, needs appear that were difficult to predict.
If the new needs fit within the original purposes, it’s sufficient to inform the data subjects about the new personal data processing before it begins.
If, on the other hand, it’s a question of using the personal data in a new way, a new consent to personal data processing has to be given. Then we have to start from scratch and find a legal basis for the processing of personal data, making sure that it takes place in accordance with the basic principles and so on...
We have now launched the 2024 version of Privacy and GDPR for all employees. A brand new course with updated content over fewer lessons, but with more interactive touch points giving your organisation's DPO a better understanding of the level of your organisations' awareness.
To increase engagement and awareness, this new course also focuses on why GDPR and privacy is important both at work – and in your private life.